From patchwork Wed Jun 26 16:53:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Kuster X-Patchwork-Id: 167846 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp1186545ilk; Wed, 26 Jun 2019 09:55:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqxY9bDTZhP6VPT06WAko5Njf7fYgff69dpq5QsRWp48jWZnnp55g3q3vUMYoJWQ+OKcjkBf X-Received: by 2002:a17:90b:f0f:: with SMTP id br15mr16655pjb.101.1561568159109; Wed, 26 Jun 2019 09:55:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561568159; cv=none; d=google.com; s=arc-20160816; b=RbCk090ihPY78wh4YEuER7WP1q2s+BECM1QdmIRVk1FR7G/IGL4yHH5QTo98IP7D5d DkT1z47SMoPZg5cSHzxkqjA60AFMX7tpq1tma7lp293hB+SbbWNQXUtoblWECJ9z41mE AXXdVTrPU+A82TSk5GVtOlycaGEs4OJH3u4cIG9kfT8v66l28QhH6/3bYLryTZC4DWFk D8dfV1ijfXRbQn7JOrqewQtshn0fL2k9gLttzYhQToJmBVwrh03KlFVmqEvUe7ujsgBi zg9adajNzeSTbSoyFxh+UssrWWh+QsNmgGEDaKjZxIqOtoTv6oGqQkvDbUmlFV3xcprS 2U9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:mime-version :list-subscribe:list-help:list-post:list-archive:list-unsubscribe :list-id:precedence:subject:references:in-reply-to:message-id:date :to:from:dkim-signature:delivered-to; bh=jFSlrwhSNYdvG/yNy2uTvylBzygUJgKaeyqO8xrGTTM=; b=f4rV1hZ7RpIOtAkYTGb9KFVpbZka9UDXqCiOIz2xNrorYhTw8oer/E2Hp1rAytnlZl 3xOSS8jW7UnqSl+8tCVShtKvsKYU6T2og1w2T+hivIl6RQLpvrcxmOzwqxQTrskeEKdH x4VA0TALgK5E64F7Tn776bq7qOOEuZskDWSWD99ZormigyvR8EKfFTkMfp2l7tkRfXV9 3I6AGAd3azG6CYM6WW11eub1/R3XUR17edI7Jyg1eBCRx0g38oBK+377vrbvrXFILHhu PU7Z0R2VxWl9FCYlDDvdQhWkYIVHFP8y/HqJN/12c07Gyq529mfDJWTy2t/uBJk8cbxe QNDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=hgVFFH9T; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from mail.openembedded.org (mail.openembedded.org. [140.211.169.62]) by mx.google.com with ESMTP id i97si3916963plb.50.2019.06.26.09.55.58; Wed, 26 Jun 2019 09:55:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b=hgVFFH9T; spf=pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) smtp.mailfrom=openembedded-core-bounces@lists.openembedded.org; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from ec2-34-214-78-129.us-west-2.compute.amazonaws.com (localhost [127.0.0.1]) by mail.openembedded.org (Postfix) with ESMTP id 5E2BF7E769; Wed, 26 Jun 2019 16:54:48 +0000 (UTC) X-Original-To: openembedded-core@lists.openembedded.org Delivered-To: openembedded-core@lists.openembedded.org Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) by mail.openembedded.org (Postfix) with ESMTP id 4FB477E692 for ; Wed, 26 Jun 2019 16:53:45 +0000 (UTC) Received: by mail-pg1-f170.google.com with SMTP id f25so1477314pgv.10 for ; Wed, 26 Jun 2019 09:53:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:in-reply-to:references; bh=i9A6RUbeHqED5lyBs1vAj2pf4izOS3Je3QrlVMcF2JU=; b=hgVFFH9TKvu65HGD5WpZFOXcWggySm1TUVhx6mVdZELlNsKsmixrNzY+Mu73n6bCSx YTd+CVGWvFlmKFxM3m2XbK+kB5ddHlJ/nwAcEkh+50HglhnMSUosfzK5YlSKmJEo7pLy NuOLnhCHd7HTjXf634qArCEfOPOOexj50gB6wlRqrw9PB/giF551yoNv88UQIixhlT5/ /9l1ZlnIQjlZvzoDVhULvmL1YSCNf8CoCLdzMqBUdAadkSNMj3Ywd5Leu6B6vp9qt11M iJlReNetdhS7ALNar1TLZzu3XW41d7OxvjHvVclDDUxiukeo+sGmGjhmqzG2N62Q8e1V HEjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references; bh=i9A6RUbeHqED5lyBs1vAj2pf4izOS3Je3QrlVMcF2JU=; b=KaJAO9183TvLjvi6wUPUw4SjS+ORA8uIsnCKypSbRQoiPzE1s/ZXWxijhPju7zuKs1 G/URfcGfmZaaUzdourLmfHucNBDGoc4v8RrjaJ9KXU3IdtBTfURs+gpkk9nXHykmAcB/ C3DHYkt5l29ipPPdixP85FdbZf9lpRZFXRub2LBKBTquISVNw+dU+fFK7zbDhXcCtkhG qUsMtc1Y39DZHi8RK/p32GS9Qa7lSAeU2yshtMLdzjE72VLIc2bvBH22atq9DRuzDFJN LxBZuGVkNbLpuUy2rKj4YUTpaDdB34weg5fBa3ut5M0UGlTW7hHy8Mlo4ECubTz5edld dtIA== X-Gm-Message-State: APjAAAVD8Y1K3gmFt8aTcNCU769jd++avM5+ZtYrHGWU6iNlUFy08YGY F0GQFkcv8wQGDCPij/L8Yqcv/HtlQ1k= X-Received: by 2002:a17:90a:eb08:: with SMTP id j8mr65215pjz.72.1561568026310; Wed, 26 Jun 2019 09:53:46 -0700 (PDT) Received: from localhost.localdomain ([45.19.219.178]) by smtp.gmail.com with ESMTPSA id t11sm15339687pgp.1.2019.06.26.09.53.45 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 26 Jun 2019 09:53:45 -0700 (PDT) From: Armin Kuster To: openembedded-core@lists.openembedded.org Date: Wed, 26 Jun 2019 09:53:12 -0700 Message-Id: <8b5e68afc9767d8b6b966503e9353cadafae9bfb.1561566521.git.akuster808@gmail.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: References: Subject: [OE-core] [thud][ 11/25] cairo: fix CVE-2018-19876 CVE-2019-6461 CVE-2019-6462 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org From: Ross Burton Source: OpenEmbedded.org MR: 97538, 97543 Type: Security Fix Disposition: Backport from https://git.openembedded.org/openembedded-core/commit/meta/recipes-graphics/cairo?h=warrior&id=078e4d5c2114d942806cd0d5ad501805a011e841 ChangeID: fa8bdd44ad8613bb0679a1f6d9d670c3b47a0677 Description: CVE-2018-19876 is a backport from upstream. CVE-2019-6461 and CVE-2019-6462 are patches taken from Clear Linux. Signed-off-by: Ross Burton Signed-off-by: Richard Purdie [Dropped CVE-2018-19876, not affected] Issue was introduced in 1.15.8 by: commit 721b7ea0a785afaa04b6da63f970c3c57666fdfe Signed-off-by: Armin Kuster Signed-off-by: Armin Kuster --- .../recipes-graphics/cairo/cairo/CVE-2019-6461.patch | 19 +++++++++++++++++++ .../recipes-graphics/cairo/cairo/CVE-2019-6462.patch | 20 ++++++++++++++++++++ meta/recipes-graphics/cairo/cairo_1.14.12.bb | 2 ++ 3 files changed, 41 insertions(+) create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch create mode 100644 meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch new file mode 100644 index 0000000..5232cf7 --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6461.patch @@ -0,0 +1,19 @@ +There is a potential infinite-loop in function _arc_error_normalized(). + +CVE: CVE-2019-6461 +Upstream-Status: Pending +Signed-off-by: Ross Burton + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..f9249dbeb 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -99,7 +99,7 @@ _arc_max_angle_for_tolerance_normalized (double tolerance) + do { + angle = M_PI / i++; + error = _arc_error_normalized (angle); +- } while (error > tolerance); ++ } while (error > tolerance && error > __DBL_EPSILON__); + + return angle; + } diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch new file mode 100644 index 0000000..4e4598c --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2019-6462.patch @@ -0,0 +1,20 @@ +There is an assertion in function _cairo_arc_in_direction(). + +CVE: CVE-2019-6462 +Upstream-Status: Pending +Signed-off-by: Ross Burton + +diff --git a/src/cairo-arc.c b/src/cairo-arc.c +index 390397bae..1bde774a4 100644 +--- a/src/cairo-arc.c ++++ b/src/cairo-arc.c +@@ -186,7 +186,8 @@ _cairo_arc_in_direction (cairo_t *cr, + if (cairo_status (cr)) + return; + +- assert (angle_max >= angle_min); ++ if (angle_max < angle_min) ++ return; + + if (angle_max - angle_min > 2 * M_PI * MAX_FULL_CIRCLES) { + angle_max = fmod (angle_max - angle_min, 2 * M_PI); diff --git a/meta/recipes-graphics/cairo/cairo_1.14.12.bb b/meta/recipes-graphics/cairo/cairo_1.14.12.bb index 18b9479..08026c4 100644 --- a/meta/recipes-graphics/cairo/cairo_1.14.12.bb +++ b/meta/recipes-graphics/cairo/cairo_1.14.12.bb @@ -25,6 +25,8 @@ DEPENDS = "fontconfig glib-2.0 libpng pixman zlib" SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ file://cairo-get_bitmap_surface-bsc1036789-CVE-2017-7475.diff \ file://0001-cairo-Fix-CVE-2017-9814.patch \ + file://CVE-2019-6461.patch \ + file://CVE-2019-6462.patch \ " SRC_URI[md5sum] = "9f0db9dbfca0966be8acd682e636d165"